About LordLandon

Yes, the GTS is terribly insecure.
No, the last four bytes at the end of the exchange aren't "null"; they're the PID of the trainer you want to do the exchange with (remember? stateless).
Yes, you could fsck with the GTS and delete all the pokemon for the lulz - but the reason none of us have released client code (to work against the real GTS) is that we do not advocate it. At all. It's one thing to mess with your own game/server; it's another to go ruining the experience for everyone using the real GTS.

Binary junk with the content-type header of text/html, at that q=
My setup is simply dnsspoof substituting replies for gamestats2.gs with my IP, and mod_rewrite in lighttpd:
url.rewrite = ( "^/pokemon.+([?].*)" => "/gts.py$1" )
which rewrites all requests to /pokemon.* to /gts.py, which uses the requested_url environ variable to figure out what to do.
I've got a fully working GTS server running there atm, with searching and trading, from within my regular webserver C=

That's not an error. Besides gamestats2, the DS connects to conntest and nas. (The former to test that it has interweb, and the latter to do some sekrit magic voodoo that gives it a PID if it doesn't have one.)

If it tells you 0.0.0.0 or 127.0.0.1, sorry, but you're going to have to find the IP address of the computer yourself - you can look in your network properties (I think it's under some detailed tab). In the meantime, I'll see if there's a more reliable way of getting that IP.

Well, you found a limitation, but a different one - that .pkm is from a box, and consists of 136 bytes. At the moment, the script only works with "party" .pkm files, which consist of 236 bytes. I will fix this soon - sorry!

Poryhack: Yes, thanks for the tip about 2.6 (= Also, you can be my tester for using the wifi adapter: since it doesn't let you change the DNS settings on your DS, it must be using the same settings that your computer uses - try changing the DNS server in your regular network settings.
Pingouin7: I'm glad you're enjoying it! Be sure to post anything that causes it to break, so that it can be fixed.

Great. Windows issues fixed - unzip the archive, and drag a .pkm or a .zip onto sendpkm.py. I seem to have fixed Platinum's communication error by making the script wait for the animation to finish before closing, as it seems the game still wants the socket open after that. I now also have sendpkm put together the 56-byte ending, or at least some of it. This fixes some nasty problems, especially in Platinum, which seem to be anti-cheating measures of some sort.
Nonetheless, it's still not perfect, and I would advise having a full party when you go to do this, because otherwise you'll end up with the sent-over pokemon having a capsule attached, with no easy way to detach it (save sending it to the real GTS and picking it back up, or trading to another game). So have a full party, and look in the first box of your PC afterwards and it should be fine.
For those more interested in the details, the second timestamp I found in the 56 bytes seems to be the traded-away time. I still have no clue what the last four bytes are. And I'm starting to think the server-bound encoding involves the PID somehow.
That is all for now.
EDIT: BUT WAIT! THERE'S MORE! Now it seems to work exactly right, no more stupid capsule problems, use with confidence (= (I've updated the attachment.)
sendpkm.zip

Attached is a script that will allow you to send a .pkm to your game cart without any special hardware, through the GTS. In order to run, you need to have Python installed on your machine, which is freely available at python.org and should run on any OS. On Linux and OS X the script needs superuser privileges because it needs to bind to two ports below 1024. I'm not sure, but on Vista+ it might need to be run as admin.
EDIT: It's been pointed out to me that it doesn't seem to work on Windows after all |= I'll figure it out once I get access to a Windows XP machine, but for now - sorry )=
How it works is: you unzip sendpkm.zip, put your .pkm in the same folder as the .py files you get, run sendpkm.py, and enter the full filename of your .pkm when it asks you for it. After that, it'll tell you to set your DS's DNS server to something; you can do that from the title screen of the pokemon games, in WFC settings.
Tap "no" for auto-obtain DNS, and enter the IP the script gives you for the primary DNS server.
After that, you just head into the GTS, and your .pkm should come flying!
There's some communication error occurring on Platinum after you get it, that I've yet to figure out - but regardless, the poke is still there after you restart your DS.
Don't forget to set your WFC settings back when you wanna play with the real server!
Also attached are 56.txt, which is an explanation of all but the last four of the mysterious 56 bytes we were getting appended to the search results, and depundep.txt for anyone who wants to take a shot at the deposit pokemon encoding.
ENJOY YOUR POKEYMANS!
Things left to do (in order of usefulness/importance):
a pokemon info displayer thing to provide detailed info on search results
figure out depositing encoding
figure out hashing algorithm
depundep.txt
56.txt

So here's what I have as of now:
Because HTTP is used for the communication, every time the DS wants to make a request from the server (after the initial connect), the exchange is as follows:
the DS gets whateverpage.asp?pid=[pid], and the server returns a 32-byte string
the DS then gets whateverpage.asp?pid=[pid]&hash=[40-byte hash of the 32-byte string]&data=[encoded request]
The pid is *not* wifiid dependent, since it remained after I connected to wifi with a different DS. Either way, it's gotta be in the save file somewhere.
The hash is a hash of *only* the secret string the server sends as a challenge - I've tried different combinations of DS/game/pid while keeping the same challenge string, and the hash came out the same each time.
The search results include the full 236 bytes of pokemon! (This makes sense because the total length per search result is 292 bytes, and because there are 236 bytes reserved for "pokemon in GTS" at the end of the save file.)
This leaves 56 extra bytes to contain the requested stuff: 0x04-0x05 is the national dex # of the requested poke, 0x06 I *think* is the requested gender, 0x07 is the min level, 0x08 is the max level.
We'll post more as we learn more.
Attached is a zip of a bunch of the conversations that went on between DS and server, the \ndone---done\n being a separator between each response/request (made it easier for me to parse; not part of the exchange). Of small note is that Platinum sets some profile thing as part of authenticating to the GTS.
gtcstuff.zip
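As an added example (not code from the posts above or from sendpkm.zip), the script below turns the layout described in this post and the earlier box-vs-party post into a small parser: it tells a 136-byte box .pkm from a 236-byte party .pkm, splits a search-result payload into 292-byte records, pulls the requested dex number, gender and level range out of the 56-byte trailer at the offsets given above, and splits a gtcstuff-style capture on the \ndone---done\n separator. The little-endian byte order of the dex number, the gender values in the sample, and the sample bytes themselves are assumptions or constructed data, not taken from the posts.

```python
"""Parser for GTS search-result records and .pkm size classes (constructed example).

Layout from the post: each search result is 292 bytes = 236 bytes of party-format
pokemon data + a 56-byte trailer; in the trailer, 0x04-0x05 is the requested
national dex number, 0x06 the requested gender, 0x07 the min level, 0x08 the
max level. The byte order of the dex number is an ASSUMPTION (little-endian,
as the DS CPU is); the sample records built below are constructed test data.
"""
import struct
from dataclasses import dataclass
from typing import List

PARTY_PKM_LEN = 236          # "party" .pkm, also the pokemon part of a search result
BOX_PKM_LEN = 136            # box .pkm, which the script in the thread does not handle yet
TRAILER_LEN = 56             # the "mysterious 56 bytes" appended to each result
RESULT_LEN = PARTY_PKM_LEN + TRAILER_LEN   # 292
CAPTURE_SEPARATOR = b"\ndone---done\n"     # poster's own separator, not part of the protocol


@dataclass(frozen=True)
class SearchResult:
    pokemon: bytes          # 236 raw pokemon bytes
    trailer: bytes          # 56 trailer bytes
    requested_dex: int      # trailer[0x04:0x06]
    requested_gender: int   # trailer[0x06] (meaning of the values is not known from the post)
    min_level: int          # trailer[0x07]
    max_level: int          # trailer[0x08]


def classify_pkm(data: bytes) -> str:
    """Tell a party .pkm from a box .pkm by size; anything else is rejected up front."""
    if len(data) == PARTY_PKM_LEN:
        return "party"
    if len(data) == BOX_PKM_LEN:
        return "box"
    raise ValueError(f"unexpected .pkm size {len(data)}, want {PARTY_PKM_LEN} or {BOX_PKM_LEN}")


def parse_search_result(record: bytes) -> SearchResult:
    """Split one 292-byte record into the pokemon and the trailer fields named in the post."""
    if len(record) != RESULT_LEN:
        raise ValueError(f"search result must be {RESULT_LEN} bytes, got {len(record)}")
    pokemon, trailer = record[:PARTY_PKM_LEN], record[PARTY_PKM_LEN:]
    (dex,) = struct.unpack_from("<H", trailer, 0x04)   # assumed little-endian
    return SearchResult(pokemon, trailer, dex, trailer[0x06], trailer[0x07], trailer[0x08])


def split_search_results(payload: bytes) -> List[SearchResult]:
    """A search response is a whole number of 292-byte records; refuse trailing garbage."""
    if len(payload) % RESULT_LEN:
        raise ValueError(f"payload of {len(payload)} bytes is not a multiple of {RESULT_LEN}")
    return [parse_search_result(payload[i:i + RESULT_LEN]) for i in range(0, len(payload), RESULT_LEN)]


def split_capture(blob: bytes) -> List[bytes]:
    """Split a capture file on the poster's \\ndone---done\\n separator into raw messages."""
    return [part for part in blob.split(CAPTURE_SEPARATOR) if part]


def build_sample_result(dex: int, gender: int, min_level: int, max_level: int) -> bytes:
    """Construct a synthetic 292-byte record (filler pokemon bytes, trailer fields set)."""
    pokemon = bytes(i & 0xFF for i in range(PARTY_PKM_LEN))   # constructed filler, not a real pokemon
    trailer = bytearray(TRAILER_LEN)
    struct.pack_into("<H", trailer, 0x04, dex)
    trailer[0x06] = gender
    trailer[0x07] = min_level
    trailer[0x08] = max_level
    return pokemon + bytes(trailer)


if __name__ == "__main__":
    # Two constructed records, the kind of payload a search would return.
    payload = build_sample_result(150, 1, 50, 100) + build_sample_result(25, 2, 1, 9)
    for n, r in enumerate(split_search_results(payload)):
        print(f"result {n}: dex #{r.requested_dex} gender={r.requested_gender} "
              f"levels {r.min_level}-{r.max_level}, {len(r.pokemon)}-byte pokemon")
    print(classify_pkm(bytes(BOX_PKM_LEN)), classify_pkm(bytes(PARTY_PKM_LEN)))
```

The size checks are the useful part for anyone extending sendpkm: a box-format file fed to code expecting 236 bytes, or a response that is not a multiple of 292 bytes, fails loudly here instead of producing a half-parsed record.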